Help: OpenSSH cannot login by Kerberos

Brian Candler B.Candler at pobox.com
Sat Jun 11 13:09:23 EDT 2011


On Sat, Jun 11, 2011 at 02:18:57PM +0800, Lee Eric wrote:
> # Kerberos options
> KerberosAuthentication yes

Aside: note that you almost certainly don't want this.
"KerberosAuthentication" means "cleartext password authentication, checking
the password against the KDC"

To authenticate people using their Kerberos ticket you need:

> GSSAPIAuthentication yes

(which you already have), and preferably also:

GSSAPIKeyExchange yes

(this is a second form of ssh Kerberos authentication which takes advantage
of Kerberos mutual authentication, to authenticate the server to the client
as well as the client to the server. It means you don't need the known_hosts
file, and the user is never prompted whether or not to accept the host key
fingerprint when first connecting)

> UsePAM yes

You probably don't want that, unless you're also authenticating against PAM
in the event that Kerberos fails.

> And on client side, I'm getting the principal of the user huli then
> try to login.

> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'

That's broken; you should rm that file (or mv it out of the way). You can't
use a PGP key or an X509-style private key as an SSH key.

Regards,

Brian.
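An added example, not part of Brian's reply or of OpenSSH itself: a small POSIX sh check that reads the effective server configuration as printed by `sshd -T` (one lowercase "keyword value" pair per line) and reports which of the options discussed above are set. It goes slightly beyond the thread by also flagging `PasswordAuthentication`, since a Kerberos-only audit is meaningless while plain password login stays on. The function name `audit_ssh_krb` and the sample input are my own; the sample mirrors the poster's settings and is constructed, not taken from a real host. The `gssapikeyexchange` keyword only exists on builds carrying the GSSAPI key-exchange patch, so its absence is reported as a note rather than a failure.

```shell
#!/bin/sh
# Audit the effective sshd configuration for the Kerberos settings discussed
# in the thread. Feed it the output of `sudo sshd -T` on stdin.
# Exit status 0: only ticket-based GSSAPI authentication is on.
# Exit status 1: a cleartext-password path (KerberosAuthentication or
# PasswordAuthentication) is still open, or GSSAPI authentication is off.
# Lines marked "note" are advisory and do not change the status.
audit_ssh_krb() {
    status=0
    gssapi=unset kex=unset krb=unset pam=unset pw=unset
    while read -r key value; do
        case "$key" in
            gssapiauthentication)   gssapi=$value ;;
            gssapikeyexchange)      kex=$value ;;
            kerberosauthentication) krb=$value ;;
            usepam)                 pam=$value ;;
            passwordauthentication) pw=$value ;;
        esac
    done

    # KerberosAuthentication = the client sends a cleartext password, sshd
    # verifies it against the KDC. That is not ticket-based login.
    if [ "$krb" = yes ]; then
        echo "FAIL kerberosauthentication yes: sshd accepts the user's cleartext password and checks it against the KDC"
        status=1
    fi
    if [ "$pw" = yes ]; then
        echo "FAIL passwordauthentication yes: cleartext password login is still possible"
        status=1
    fi
    # GSSAPIAuthentication is what actually accepts a Kerberos ticket.
    if [ "$gssapi" != yes ]; then
        echo "FAIL gssapiauthentication is '$gssapi': Kerberos tickets are not accepted for login"
        status=1
    else
        echo "ok   gssapiauthentication yes: ticket-based login enabled"
    fi
    # GSSAPIKeyExchange authenticates the server to the client via Kerberos,
    # so no known_hosts fingerprint prompt. Only present on patched builds.
    if [ "$kex" = yes ]; then
        echo "ok   gssapikeyexchange yes: host authenticated through Kerberos, no known_hosts prompt"
    else
        echo "note gssapikeyexchange is '$kex': host key verified via known_hosts (keyword absent on builds without the GSSAPI key-exchange patch)"
    fi
    if [ "$pam" = yes ]; then
        echo "note usepam yes: PAM is also consulted; confirm a PAM password fallback is really intended"
    fi
    return $status
}

# Constructed sample in the shape of `sshd -T` output, matching the poster's
# settings (not a real host's configuration). On a real server run:
#   sudo sshd -T | audit_ssh_krb
if printf 'gssapiauthentication yes\nkerberosauthentication yes\nusepam yes\n' | audit_ssh_krb; then
    echo "result: only ticket-based Kerberos login is enabled"
else
    echo "result: a cleartext password path is still open"
fi
```

`sshd -T` needs root to read the host keys and prints every effective keyword in lowercase, which is why the `case` patterns are lowercase; a hand-written `sshd_config` with mixed-case keywords would need lowercasing first (for example through `tr 'A-Z' 'a-z'`).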



More information about the Kerberos mailing list